Over the weekend, John, an attorney, emailed me with a distressing question, “How can someone steal stocks from your portfolio? What protections do we have in place?”
The question emanated from a New York Times article (https://www.nytimes.com/2025/10/03/your-money/iravanguard-merrillacats-fraud.html) dealing with ACAT fraud.
ACAT (Automated Customer Account Transfer) fraud is a clever form of identity theft. It begins with a perpetrator gathering enough information on you to open a new account, pretending to be you.
Once they have enough information, they start opening accounts at other firms.
In this case, the victim had a Vanguard IRA. But the perpetrator opened an account with the same name, tax ID number and birthdate at Merrill Lynch. Once the second account was opened, they processed an ACAT transfer. Typically, they try to insert a different mailing address, email or phone number once the new fake account is established.
More interestingly, the criminal knew exactly what securities were in the victim’s portfolio. As such, they knew exactly what to transfer.
In the expedited electronic world we live in, ACAT transfers take place in under a week. As such, if a criminal knows you will be out of the country or on vacation, this is the perfect time to strike.
Fortunately, the victim was proactive. And Merrill and Vanguard realized something was wrong and reversed the transfer. However, this was only after $120,000 in securities had been fraudulently transferred.
We have seen an increase in this type of fraud recently. Given this, how can the average investor protect themselves from a similar disaster?
In thinking through this, a couple of observations are worth making.
Someone’s email, home address, date of birth and driver’s license number are quite easy to obtain. Getting a social security number is harder, but not impossible. As such, be very careful with this.
Opening a bank or brokerage account with a competent firm should be pretty difficult. However, many of the least experienced staff members start in the “new accounts” department. New accounts personnel are under pressure to open accounts as quickly as possible. Criminals prey upon this lack of experience and demand for speed.
My guess is the victim in question was not running proper cybersecurity on their email, and their account logins weren’t properly secured. Most likely, their statements with full holdings came to their hacked email.
If the victim was getting paper statements, they could have been stolen from the mailbox. Other times account holders just toss them in the trash. Obviously, neither is wise. Make sure mail is delivered to a secure location.
Dave Sather is a Certified Financial Planner and the CEO of the Sather Financial Group, a fee-only strategic planning and investment management firm.






